Today the CISA NCCIC-ICS published five control system security advisories for products from Rockwell Automation (2), ICONICS, Mitsubishi Electric, and Johnson Controls; and six medical device security advisories for products from BD, BIOTRONIK and Baxter (6). They also updated the Treck TCP/IP advisory that was published earlier this week.
FactoryTalk View SE Advisory
This advisory
describes four vulnerabilities in the Rockwell FactoryTalk View SE. The vulnerabilities
were reported by the Zero Day Initiative. Rockwell has a new version that mitigates
the vulnerabilities. There is no indication that the researchers have been
provided an opportunity to verify the efficacy of the fix.
The four reported vulnerabilities are:
• Improper input validation - CVE-2020-12029,
• Improper restriction of operations within a memory buffer - CVE-2020-12031,
• Permissions, privileges, and access control - CVE-2020-12028, and
• Exposure of sensitive information to an unauthorized actor - CVE-2020-12027
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow a remote authenticated
attacker to manipulate data of affected devices.
NOTE: These vulnerabilities were discovered in the Pwn2Own competition at this year’s S4 Security conference in Miami, Florida.
FactoryTalk Services Platform Advisory
This advisory
describes an improper input validation vulnerability in the Rockwell FactoryTalk
Services Platform. No vulnerability disclosure information is provided in the
advisory. Rockwell provides generic mitigation measures.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to allow an unauthenticated attacker
to execute remote COM objects with elevated privileges.
NOTE: This vulnerability was discovered in the Pwn2Own competition at this year’s S4 Security conference in Miami, Florida.
ICONICS Advisory
This advisory
describes five vulnerabilities in the ICONICS GENESIS64 and GENESIS32 products.
The vulnerabilities were reported by Tobias Scharnowski, Niklas Breitfeld, Ali
Abbasi, Yehuda Anikster of Claroty; Pedro Ribeiro and Radek Domanski of
Flashback; Ben McBride of Oak Ridge National Laboratory; and Steven Seeley and
Chris Anastasio of Incite. ICONICS has patches that mitigate the
vulnerabilities. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.
The five reported vulnerabilities are:
• Out-of-bounds write - CVE-2020-12011,
• Deserialization of untrusted data (3) - CVE-2020-12015, CVE-2020-12009, and CVE-2020-12007, and
• Code injection - CVE-2020-12013
NCCIC-ICS reports that an uncharacterized attacker could remotely exploit these vulnerabilities to allow remote code execution or denial of service.
NOTE: ICONICS takes an unusual approach to the publication of security advisories. The two separate product advisories for this NCCIC-ICS report (GENESIS64 and GENESIS32) contain summaries of all the vulnerabilities reported to/by NCCIC-ICS (and its predecessor, ICS-CERT) since 2011. If/when new vulnerabilities are reported, they are added to the respective product vulnerability report.
Mitsubishi Advisory
This advisory
describes five vulnerabilities in the Mitsubishi MC Works64 and MC Works32
products. The vulnerabilities were reported by Tobias Scharnowski, Niklas Breitfeld,
Ali Abbasi, Yehuda Anikster of Claroty; Pedro Ribeiro and Radek Domanski of
Flashback; Ben McBride of Oak Ridge National Laboratory; and Steven Seeley and
Chris Anastasio of Incite. Mitsubishi has patches that mitigate the
vulnerabilities. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.
The five reported vulnerabilities are:
• Out-of-bounds write - CVE-2020-12011,
• Deserialization of untrusted data (3) - CVE-2020-12015, CVE-2020-12009, and CVE-2020-12007, and
• Code injection - CVE-2020-12013
NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit these vulnerabilities to allow remote code execution, a
denial-of-service condition, information disclosure, or information tampering.
NOTE 1: The reporting information and CVE numbers indicate
that these are the same vulnerabilities reported in the ICONICS advisory above.
It is interesting to note the differing exploit information in the two
advisories.
NOTE 2: Mitsubishi now has a publicly available PSIRT
page.
Johnson Controls Advisory
This advisory
describes an improper verification of cryptographic signature vulnerability in
the Johnson Controls exacqVision product. The vulnerability was reported by Michael Norris. Johnson Controls has newer versions that mitigate the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit the vulnerability to allow the execution of operating system
commands on the system. It would seem that [IMO] a social engineering attack
would be required to cause a person with administrative privileges to
potentially download and run a malicious executable.
BD Advisory
This advisory
describes an uncontrolled resource consumption vulnerability in the BD Alaris
PCU. The vulnerability is self-reported. BD provides generic workarounds to
mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to cause a denial of service (DoS) on
the target system and could cause the BD Alaris PCU to disconnect from the
facility’s wireless network.
NOTE: This vulnerability is one of three SACK
vulnerabilities reported in the FreeBSD and Linux kernels. It would seem to me
that the other two vulnerabilities might also be found in this product.
BIOTRONIK Advisory
This advisory
describes five vulnerabilities in the BIOTRONIK CardioMessenger II-S T-Line and
CardioMessenger II-S GSM products. The vulnerabilities were reported by Guillaume
Bour, Anniken Wium Lie, and Marie Moe. BIOTRONIK has provided generic workarounds to mitigate the vulnerabilities.
The five reported vulnerabilities are:
• Improper authentication (2) - CVE-2019-18246 and CVE-2019-18252,
• Cleartext transmission of sensitive information - CVE-2019-18248,
• Missing encryption of sensitive data - CVE-2019-18254, and
• Storing passwords in an accessible format - CVE-2019-18256
NCCIC-ICS reports that a relatively low-skilled attacker with physical access to the device could exploit the vulnerabilities to obtain sensitive data, obtain transmitted medical data from implanted cardiac devices with the implant’s serial number, or impact Cardio Messenger II product functionality. The same attacker with adjacent access could exploit the vulnerabilities to influence communications between the Home Monitoring Unit (HMU) and the Access Point Name (APN) gateway network.
NOTE: See this Twitter thread by Marie Moe about this advisory.
Sigma Spectrum Infusion Pump Advisory
This advisory
describes six vulnerabilities in the Baxter Sigma Spectrum Infusion systems.
The vulnerabilities are self-reported. Baxter provided generic workarounds to
mitigate the vulnerabilities.
The six reported vulnerabilities are:
• Use of hard-coded passwords (3) - CVE-2020-12039, CVE-2020-12045 and CVE-2020-12047,
• Cleartext transmission of sensitive data - CVE-2020-12040,
• Incorrect permission assignment for critical resource - CVE-2020-12041, and
• Operation on a resource after expiration or release - CVE-2020-12043
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to allow access to sensitive data,
alteration of system configuration, and impact to system availability.
NOTE: NCCIC-ICS did not provide a link to the related Baxter
advisory.
Phoenix Hemodialysis Advisory
This advisory describes
a cleartext transmission of sensitive information vulnerability in the Baxter Phoenix
Hemodialysis Delivery System. This vulnerability is self-reported. Baxter
provides generic workarounds to mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to view sensitive data.
NOTE: NCCIC-ICS did not provide a link to the related Baxter
advisory.
PrismaFlex Advisory
This advisory
describes three vulnerabilities in the Baxter PrismaFlex and PrisMax medical
systems. The vulnerabilities are self-reported. Baxter has new versions that
mitigate the vulnerabilities.
The three reported vulnerabilities are:
• Cleartext transmission of sensitive information - CVE-2020-12036,
• Improper authentication - CVE-2020-12035, and
• Use of hard-coded passwords - CVE-2020-12037
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to view and alter sensitive data.
NOTE: NCCIC-ICS did not provide a link to the related Baxter
advisory.
ExactaMix Advisory
This advisory describes seven vulnerabilities in the Baxter ExactaMix systems. The vulnerabilities are self-reported. Baxter has new versions that mitigate the vulnerabilities.
The seven reported vulnerabilities are:
• Use of hard-coded password (2) - CVE-2020-12016 and CVE-2020-12012,
• Cleartext transmission of sensitive information - CVE-2020-12008,
• Missing encryption of sensitive data - CVE-2020-12032,
• Improper access control - CVE-2020-12024,
• Exposure of resource to wrong sphere - CVE-2020-12020, and
• Improper input validation - CVE-2017-0143
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to allow unauthorized access to
sensitive data, alteration of system configuration, alteration of system
resources, and impact to system availability.
NOTE: NCCIC-ICS did not provide a link to the related Baxter
advisory.
Treck Update
This update
provides additional information on an advisory that was originally
published on June 16th, 2020. The new information is a link to
the Baxter
advisory on the issue.